User Authentication
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know. It is a fundamental security building block, being the basis of access control and user accountability. Description There are two steps to user authentication: *Identification - This specifies the identifier. *Verification - This binds the entity (user) to the identifier. This checks data provided by the user against previously stored data. Means of User Authentication There are four different means of authenticating a user's identity based on something a user: *knows (e.g. a PIN or password) *possesses (e.g. a key or token) *is (static biometrics) *does (dynamic biometrics) These can each provide user authentication, but they also have their own issues. You can combine them for overlapping protection. Password Authentication This is a widely used and accepted method of user authentication. The user provides a name or login account as well as a password. The system then compares this information to data it has stored on the login. Once the identity is authenticated, it ensures the user is authorized to access the system and determines the user's privileges. Remote User Authentication Authentication over a network becomes a complex task. System administrators have to worry about problems of eavesdropping and replay. Challenge-response is a commonly used method that works as follows: #The user sends his identity. #The host responds with a random number. #The user computes a new value f(r,h(P)). The random number, r, along with a hash of the user's password, is taken as a parameter for a function, f, that returns the new value. #The host then compares this value with its own computed value. If they match, the user is authenticated. This method allows the host to store only the hashes of the passwords instead of the user's passwords themselves. If an attacker gains access to the host machine, he will be unable to view a user's password. In addition, it helps to combat replay attacks by utilizing the random number. This way, no two authentications for a user will be identical. Use of Hashed Passwords UNIX Implementation In the original scheme, UNIX systems used a hash routine called crypt(3). This truncated any passwords to 8 characters in length and used a simple 56-bit key. crypt(3) produces a 64-bit output. This is now regarded as woefully insecure, though it is still sometimes used for compatibility. Improved Implementations Many systems now use MD5. It has a 48-bit salt, the password length is unlimited, and is hashed 1000 times with an inner loop, making it far slower than crypt(3). This algorithm produces a 128-bit hash. OpenBSD uses the Blowfish block cipher hash algorithm called Bcrypt. Password Vulnerabilities *Offline dictionary attack on a system password file. *Specific account attack. *Popular password attack on a range of user IDs. *Password guessing against a single user. *Workstation hijacking. *Exploiting user mistakes (poor password choices, writing down passwords, social engineering attacks) *Exploiting multiple password use. *Electronic monitoring. **Passwords transmitted in the clear. **Hardware/Software keyloggers. Rainbow Tables A Rainbow Table precomputes hash values for possible combinations of characters. This produces a mammoth table of hash values. In 2003, the Ophcrack program used a 1.4GB Rainbow Table to successfully crack 99.9% of alphanumeric Windows XP passwords in only 13.8 seconds. Windows XP made the following mistakes: *Use of an LM hash with no salt. *Converts input to all uppercase letters. *Splits passwords into 7-byte pieces and creates a hash for each piece. The size of a Rainbow Table is based on the: *Number of common passwords. *Number of characters in a password. *Types of characters in a password. *Size of the salt. *Size of the hash. Countermeasures *Stop unauthorized access to the password file. *Intrusion detection measures. *Account lockout mechanisms. *Automatic workstation logout. *Encrypted network links. *Policies against using common passwords but rather hard to guess passwords. *Training and enforcement of policies. Token Authentication The user possesses an object that is used to authenticate his identity. Examples include: *Embossed cards *Magnetic stripe cards *Memory card *Smartcard Memory Card These items store, but do not process data. They may include magnetic stripe cards, electronic memory cards, or other equivalent objects. Used alone, they can provide physical access, or can be combined with a password or PIN for access to electronic systems. Drawbacks include the need for a special reader, issues with loss of the token object, and user dissatisfaction. Smartcard This card appears similar to a credit card. It has its own processor, memory, and I/O ports. It may provide wired or wireless access by a reader. It can also use a cryptographic co-processor. The smartcard includes ROM, EEPROM, and RAM memory. The card itself executes the protocols to authenticate the user with the reader or computer. Biometric Authentication These systems authenticate a user based on one or more of their physical characteristics. A biometric sensor reads information about your body, then extracts the necessary features from this data. It checks these features against prerecorded data about the user in the same fashion as traditional systems compare input data to stored password hashes. The accuracy of biometric authentication is based on thresholds. It is nearly impossible to ever get an identical match between one session and another from the same user. Unlike passwords, if the features extracted are similar enough to the prerecorded characteristics, that is, within a tolerable threshold, the user is considered authenticated. This can, in some cases, result in problems with false matches and false non-matches.